fabookie | 96cfb6ff0bed243356b569d5bb44911f8214c9a63f577621b8ed4de8762576df

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-12-2024 05:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe
Size

4.2MB
MD5

c606d1a98096c134a3740cb2e951990e
SHA1

c6f23667b250fa98ae0f10503668e1d41d4996ac
SHA256

96cfb6ff0bed243356b569d5bb44911f8214c9a63f577621b8ed4de8762576df
SHA512

883715096e9c62dc7e4d5b9277de31536f0f4ac7203b2def65d2e9773de7d3b5110b2c5484a917c8bce70e3f1cbf9838ae3d09f81de2d7db2a8bfe92af95c99c
SSDEEP

98304:Ibhu1zNQzrgiH7hdjJXR85svk3upL/qkyZ9RVlWtH:IluzYF7hdjJXR85svkuLyjRVlS

Score

10^/10

fabookie ffdroider gcleaner onlylogger privateloader socelars discovery evasion loader persistence spyware stealer trojan upx vmprotect

Malware Config

Extracted

Family

ffdroider

http://101.36.107.74

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.wygexde.xyz/

Extracted

Family

gcleaner

g-partners.live

gcl-partners.in

Signatures

Detect Fabookie payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000016d25-148.dat	family_fabookie

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider
Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
Fabookie family
fabookie
Ffdroider family
ffdroider
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Gcleaner family
gcleaner

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	Infos.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	Infos.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	Infos.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Infos.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Infos.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Infos.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Infos.exe

OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
Onlylogger family
onlylogger
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Privateloader family
privateloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Socelars family
socelars

Socelars payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000800000001612f-136.dat	family_socelars

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral1/memory/832-190-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/1976-309-0x0000000000400000-0x0000000000422000-memory.dmp	Nirsoft
behavioral1/memory/1976-316-0x0000000000400000-0x0000000000422000-memory.dmp	Nirsoft

OnlyLogger payload 1 IoCs

resource	yara_rule
behavioral1/memory/2908-320-0x0000000000400000-0x00000000009B8000-memory.dmp	family_onlylogger

Executes dropped EXE 12 IoCs

pid	Process
2812	Files.exe
2908	Install.exe
1636	KRSetp.exe
2668	jg3_3uag.exe
2356	File.exe
2672	Folder.exe
2432	Installation.exe
3028	pzyh.exe
780	pub2.exe
1168	Infos.exe
832	jfiag3g_gg.exe
1976	jfiag3g_gg.exe

Loads dropped DLL 55 IoCs

pid	Process
2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe
2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe
2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe
2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe
2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe
2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe
2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe
2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe
2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe
2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe
2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe
2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe
2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe
2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe
2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe
2908	Install.exe
2908	Install.exe
2908	Install.exe
2812	Files.exe
2812	Files.exe
2812	Files.exe
2812	Files.exe
1208	WerFault.exe
1208	WerFault.exe
1208	WerFault.exe
1208	WerFault.exe
2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe
2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe
2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe
2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe
2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe
2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe
2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe
2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe
2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe
2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe
2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe
2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe
2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe
2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe
2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe
2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe
2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe
2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe
2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe
780	pub2.exe
2480	WerFault.exe
2480	WerFault.exe
2480	WerFault.exe
2480	WerFault.exe
2480	WerFault.exe
3028	pzyh.exe
3028	pzyh.exe
3028	pzyh.exe
3028	pzyh.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x0007000000015e18-69.dat	vmprotect
behavioral1/memory/2668-83-0x0000000000400000-0x000000000063D000-memory.dmp	vmprotect
behavioral1/memory/2668-87-0x0000000000400000-0x000000000063D000-memory.dmp	vmprotect
behavioral1/memory/2668-307-0x0000000000400000-0x000000000063D000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.e"	pzyh.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Files.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
241	iplogger.org
242	iplogger.org
9	iplogger.org
10	iplogger.org
11	iplogger.org
21	iplogger.org
51	iplogger.org
52	iplogger.org

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	ipinfo.io
17	ip-api.com
19	ipinfo.io
32	api.db-ip.com
33	api.db-ip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0007000000016d96-98.dat	autoit_exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00060000000174a2-187.dat	upx
behavioral1/memory/832-190-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/1976-309-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/files/0x000b0000000174a2-306.dat	upx
behavioral1/memory/1976-316-0x0000000000400000-0x0000000000422000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1208	2668	WerFault.exe	33
2480	780	WerFault.exe	42

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Files.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Infos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pub2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jfiag3g_gg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jg3_3uag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	File.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pzyh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Installation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jfiag3g_gg.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1732	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006071a8c1fce82244a1dea67bfa751aac000000000200000000001066000000010000200000007f42be1381a4629e37209c593f479ed5b9e09ac619e3e5ead50e3a82357d796d000000000e800000000200002000000087973f9c1b06f1de327dac38d8f61a9fef7c8452bc0855594cfbb709eb24b49090000000987de5474ca37ab84965026725de75bd612338dd37a9afbc1162f28f8f113e9eb92e94bf8b1227044fb09b6ccfea3af69eb077d1cf1d953e619e587100d660fe908f31e2586d1a01cca37c5314a069eaf63e7b48d557c263f901eea44a796fd21a4d0347a7b31fddc1a7b5670f4bdcbbc0cc8f004ab86cbe6568294ee1cdc8f338f2f16fb90ce66c54230624bec3022340000000bfcf69c09e64597e9cccb8e2916eafca03ab953608ce114c382dbe9ddd4c4f84adae55c7d80062a942627970ec8bf5638708ba400bc543273e54e99532634794	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006071a8c1fce82244a1dea67bfa751aac00000000020000000000106600000001000020000000a829be26357591a5723c9c5d3b9c038a059c968676bdd413f34a9a9d6b2fb909000000000e80000000020000200000007fb4e56ee0b8056a89e7afdb2b2178ab5315ab1eb2303c0fd9360543baf2040c20000000681f9d63280dc8e34b8af01043f1a5099218a04142063cd1f54619d3e8604c5e40000000a9a45bca3268b0624d69760244452a487339c3dc79fe106b0582b4e6fe0958518b1fc13a766b58bba8007099c84d8f2935660ce2eb85d8eb1a5867f200e73181	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "439536790"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0e0f9d9d246db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{10E3F3D1-B2C6-11EF-9F30-7694D31B45CA} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe

NTFS ADS 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\wwwDFF7.tmp\:favicon:$DATA	IEXPLORE.EXE
File created	C:\Users\Admin\AppData\Local\Temp\Samk.url:favicon	IEXPLORE.EXE
File created	C:\Users\Admin\AppData\Local\Temp\wwwC787.tmp\:favicon:$DATA	IEXPLORE.EXE
File created	C:\Users\Admin\AppData\Local\Temp\Samk.url\:favicon:$DATA	IEXPLORE.EXE
File created	C:\Users\Admin\AppData\Local\Temp\RarSFX0\fdsa.url:favicon	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1976	jfiag3g_gg.exe
1280	iexplore.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeDebugPrivilege	1636	KRSetp.exe
Token: SeCreateTokenPrivilege	2432	Installation.exe
Token: SeAssignPrimaryTokenPrivilege	2432	Installation.exe
Token: SeLockMemoryPrivilege	2432	Installation.exe
Token: SeIncreaseQuotaPrivilege	2432	Installation.exe
Token: SeMachineAccountPrivilege	2432	Installation.exe
Token: SeTcbPrivilege	2432	Installation.exe
Token: SeSecurityPrivilege	2432	Installation.exe
Token: SeTakeOwnershipPrivilege	2432	Installation.exe
Token: SeLoadDriverPrivilege	2432	Installation.exe
Token: SeSystemProfilePrivilege	2432	Installation.exe
Token: SeSystemtimePrivilege	2432	Installation.exe
Token: SeProfSingleProcessPrivilege	2432	Installation.exe
Token: SeIncBasePriorityPrivilege	2432	Installation.exe
Token: SeCreatePagefilePrivilege	2432	Installation.exe
Token: SeCreatePermanentPrivilege	2432	Installation.exe
Token: SeBackupPrivilege	2432	Installation.exe
Token: SeRestorePrivilege	2432	Installation.exe
Token: SeShutdownPrivilege	2432	Installation.exe
Token: SeDebugPrivilege	2432	Installation.exe
Token: SeAuditPrivilege	2432	Installation.exe
Token: SeSystemEnvironmentPrivilege	2432	Installation.exe
Token: SeChangeNotifyPrivilege	2432	Installation.exe
Token: SeRemoteShutdownPrivilege	2432	Installation.exe
Token: SeUndockPrivilege	2432	Installation.exe
Token: SeSyncAgentPrivilege	2432	Installation.exe
Token: SeEnableDelegationPrivilege	2432	Installation.exe
Token: SeManageVolumePrivilege	2432	Installation.exe
Token: SeImpersonatePrivilege	2432	Installation.exe
Token: SeCreateGlobalPrivilege	2432	Installation.exe
Token: 31	2432	Installation.exe
Token: 32	2432	Installation.exe
Token: 33	2432	Installation.exe
Token: 34	2432	Installation.exe
Token: 35	2432	Installation.exe
Token: SeDebugPrivilege	1732	taskkill.exe

Suspicious use of FindShellTrayWindow 10 IoCs

pid	Process
2356	File.exe
2356	File.exe
1280	iexplore.exe
2356	File.exe
2356	File.exe
2356	File.exe
2356	File.exe
2356	File.exe
2356	File.exe
2356	File.exe

Suspicious use of SendNotifyMessage 9 IoCs

pid	Process
2356	File.exe
2356	File.exe
2356	File.exe
2356	File.exe
2356	File.exe
2356	File.exe
2356	File.exe
2356	File.exe
2356	File.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1280	iexplore.exe
1280	iexplore.exe
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
1144	IEXPLORE.EXE
1144	IEXPLORE.EXE
1144	IEXPLORE.EXE
1144	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2812	2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe	30
PID 2180 wrote to memory of 2812	2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe	30
PID 2180 wrote to memory of 2812	2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe	30
PID 2180 wrote to memory of 2812	2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe	30
PID 2180 wrote to memory of 2908	2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe	31
PID 2180 wrote to memory of 2908	2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe	31
PID 2180 wrote to memory of 2908	2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe	31
PID 2180 wrote to memory of 2908	2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe	31
PID 2180 wrote to memory of 2908	2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe	31
PID 2180 wrote to memory of 2908	2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe	31
PID 2180 wrote to memory of 2908	2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe	31
PID 2180 wrote to memory of 1636	2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe	32
PID 2180 wrote to memory of 1636	2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe	32
PID 2180 wrote to memory of 1636	2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe	32
PID 2180 wrote to memory of 1636	2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe	32
PID 2180 wrote to memory of 2668	2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe	33
PID 2180 wrote to memory of 2668	2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe	33
PID 2180 wrote to memory of 2668	2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe	33
PID 2180 wrote to memory of 2668	2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe	33
PID 2812 wrote to memory of 2356	2812	Files.exe	34
PID 2812 wrote to memory of 2356	2812	Files.exe	34
PID 2812 wrote to memory of 2356	2812	Files.exe	34
PID 2812 wrote to memory of 2356	2812	Files.exe	34
PID 2668 wrote to memory of 1208	2668	jg3_3uag.exe	35
PID 2668 wrote to memory of 1208	2668	jg3_3uag.exe	35
PID 2668 wrote to memory of 1208	2668	jg3_3uag.exe	35
PID 2668 wrote to memory of 1208	2668	jg3_3uag.exe	35
PID 1280 wrote to memory of 2856	1280	iexplore.exe	37
PID 1280 wrote to memory of 2856	1280	iexplore.exe	37
PID 1280 wrote to memory of 2856	1280	iexplore.exe	37
PID 1280 wrote to memory of 2856	1280	iexplore.exe	37
PID 2180 wrote to memory of 2672	2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe	39
PID 2180 wrote to memory of 2672	2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe	39
PID 2180 wrote to memory of 2672	2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe	39
PID 2180 wrote to memory of 2672	2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe	39
PID 2180 wrote to memory of 2432	2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe	40
PID 2180 wrote to memory of 2432	2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe	40
PID 2180 wrote to memory of 2432	2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe	40
PID 2180 wrote to memory of 2432	2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe	40
PID 2180 wrote to memory of 2432	2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe	40
PID 2180 wrote to memory of 2432	2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe	40
PID 2180 wrote to memory of 2432	2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe	40
PID 2180 wrote to memory of 3028	2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe	41
PID 2180 wrote to memory of 3028	2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe	41
PID 2180 wrote to memory of 3028	2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe	41
PID 2180 wrote to memory of 3028	2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe	41
PID 2180 wrote to memory of 780	2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe	42
PID 2180 wrote to memory of 780	2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe	42
PID 2180 wrote to memory of 780	2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe	42
PID 2180 wrote to memory of 780	2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe	42
PID 2180 wrote to memory of 1168	2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe	43
PID 2180 wrote to memory of 1168	2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe	43
PID 2180 wrote to memory of 1168	2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe	43
PID 2180 wrote to memory of 1168	2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe	43
PID 2180 wrote to memory of 1168	2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe	43
PID 2180 wrote to memory of 1168	2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe	43
PID 2180 wrote to memory of 1168	2180	c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe	43
PID 780 wrote to memory of 2480	780	pub2.exe	44
PID 780 wrote to memory of 2480	780	pub2.exe	44
PID 780 wrote to memory of 2480	780	pub2.exe	44
PID 780 wrote to memory of 2480	780	pub2.exe	44
PID 3028 wrote to memory of 832	3028	pzyh.exe	45
PID 3028 wrote to memory of 832	3028	pzyh.exe	45
PID 3028 wrote to memory of 832	3028	pzyh.exe	45

C:\Users\Admin\AppData\Local\Temp\c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c606d1a98096c134a3740cb2e951990e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Users\Admin\AppData\Local\Temp\Files.exe
  "C:\Users\Admin\AppData\Local\Temp\Files.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2356
- C:\Users\Admin\AppData\Local\Temp\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2908
- C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
  "C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1636
- C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe
  "C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 184
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1208
- C:\Users\Admin\AppData\Local\Temp\Folder.exe
  "C:\Users\Admin\AppData\Local\Temp\Folder.exe"
  2⤵
  - Executes dropped EXE
  PID:2672
- C:\Users\Admin\AppData\Local\Temp\Installation.exe
  "C:\Users\Admin\AppData\Local\Temp\Installation.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2432
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c taskkill /f /im chrome.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2276
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1732
- C:\Users\Admin\AppData\Local\Temp\pzyh.exe
  "C:\Users\Admin\AppData\Local\Temp\pzyh.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:832
- - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1976
- C:\Users\Admin\AppData\Local\Temp\pub2.exe
  "C:\Users\Admin\AppData\Local\Temp\pub2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:780
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 780 -s 128
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2480
- C:\Users\Admin\AppData\Local\Temp\Infos.exe
  "C:\Users\Admin\AppData\Local\Temp\Infos.exe"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1168

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1280 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - NTFS ADS
  - Suspicious use of SetWindowsHookEx
  PID:2856
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1280 CREDAT:537619 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - NTFS ADS
  - Suspicious use of SetWindowsHookEx
  PID:1144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
36f8124826f05a4015efa2135528495f

SHA1
ae972fec3d6686d485dfafae8f7aa00d36e7c165

SHA256
03b2ee9fb634b9dfb780ea38c265cf96357634364ac57aacc1042d4d477ae825

SHA512
8f8fe24bc258ca5b2f3d47097a1674cbb88cd4712f5135d5ddc8204e08c022824f22fedb888f864a288c733f565926e07029b2138044ccf934f39da6051e8239

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2eecbe8f1ba0cee8eb6e5e4d9c43eca7

SHA1
96422784e50b3d952539354682cceb439b21c22e

SHA256
4cd2b104be2d86bd19cbd5d4c838f35cd03187306614aefe33f27c96f68157c1

SHA512
72bbbcdb7743f143116797848dbef3e4b5419a881a0f9b054954328264f6e9a159e33cc740ae2e87ccaa9cdcd43d87bb0eb9ae79b29b9d629c3340b5713e3439

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eb6746dc372b9c603c7e4fc5ca3ee2a9

SHA1
d3f3f1332958f6c4a244ec4025938065beb01368

SHA256
d3deec9c2cd8e1dc67969d705e28cc2a237445ac2130897fb5ab22d9aaf3dc38

SHA512
6daa21a68ffc1467c885abaefe09488bd4c6138036a796110587a0bb5bd9eea5b80f5fba918cea73d93a9331570aff0527f10caee1df60b5112eac3091ec5067

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bbc74956d2f075c75a3392526aed246a

SHA1
00b68cb60966866257903974a3884d49a679b144

SHA256
041bead8e17294ac3df32c1732881b5e848f58ce4e59582a87478c846725fbe0

SHA512
8d6a132e71972753cdd73e54a1ccc7b2822b4756e24d4a227fef588a29909ad4c928c6d760b8aac0e3d9c840c430b2d3938a49e238dcbbafc2793ebeaf871a91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2cebe95c0967d66461bfc7f9aa9f019c

SHA1
6eb8e568d7685cb8d60977da46a62fcd26fcb046

SHA256
5b5a5ca51a10b88034945bd4ada23fe3d5b7cddd80031b13c2093a25bbdd0e8a

SHA512
04044bc9f51ae4bf4069c2eded9f5a462a2fbe477b2b278c047826af46ef4e69a3f2d84e7a7e90b680efcb22947afabdd1149cd8c7d9117f18cd6479d7ec8220

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0c208c00c2fca967cbb37b092378c615

SHA1
44e7313fc68f8f373901e96443613c7bff0e8246

SHA256
b517118f26c575729decda8273e02c7f34f4c52ae07203bedbfe49f66406ca83

SHA512
c3a37e044b85bae5cb6d5e7c0d218e77e9a5dfc5d5454f8140ea0099283af83fe33e5f17fc24baa93e4800cf9e07c5d6a1b3d8f5e1cdcf0beb85a9af46dceb52

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fb5ac6da98bf74a96456c7f56bceaa64

SHA1
5a32b7a0df06dc99c3c71ad85d5c68f913149448

SHA256
42d4dc06fe55f2a490197104e65e508bff0db78bcf916966054bb9c9b1f86da8

SHA512
a02077181cb639075abe8b150feed961fa7ea6fb38d8257648048da5334dfe503b6d4b6addba60c9bd9e0b82cc112f7c9378d635716b322a5dd9e11e96e4d962

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
72de9fdc5c6c161e19ee26cd62413242

SHA1
eba3ee2efa18470ad3d8f3f882eed405d5cf0785

SHA256
a979fc009d74252650a235c2901833933e2ebe9ede2ba374745c14012597ca8c

SHA512
0f3d9bbbecd57d9ddcf949534df4da820147ec87f901b5f26ed2b16804b496af08f4af1d47db2e7d4565c926b6a4bfa5d39d65eecda6a2b957d3970c65acd2ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
43acd420966f72aeb7be66dc596c4519

SHA1
8cb231caa93105278f9c68884682d41da07cd396

SHA256
cf26b6258be8746d669c842787b6231a752546b5ce000f24ec0c8bb4de524663

SHA512
a09f5918c30e09f944bea5ae1877dfdc2542cdb8d7502285200a0d8a8f17b2772ae149252585c012126ce7e74200db19e4d4017c832c01158edba6346666ee1c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3198d16c89ec00a5d3e85f15cab97716

SHA1
843468b046255c114843e09b0677a6fa94f441e7

SHA256
12703134c046a5e2d1fab9c2894794d176f12eff9bcaae16ea09646765747195

SHA512
7176002b911e85dc2b209faaf808f856f3e6dd61e3b5ffee7caf49e47b9b5ea11b1b82b8a21c2090b59a264d6355aeb1883fde58b8118b7c6c08f9f55e2a4397

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1cd29aaecd8c48b5f8d374bc0af66892

SHA1
e9a4d62efb33ae919482e3694b6dd7c032a954ca

SHA256
fc9046eeb32a36fa3835ab790336d17f411beebaa9586007364ea11ad848ccb5

SHA512
0b56dd02541d5173cb7b25f46bc8083515c2ecff92075b637aeebaa94c6c41b0b6a6ef0ec22ea42259d9d5d9fd07dc3416bed44c904b0995a9c34b2ccfdee432

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b9698a41d2f00d00882dd73190ea9b3b

SHA1
de57485439f99d5d6bbd8efbbca4048ddee94c91

SHA256
a015abefb994d47039e95ec990c61635d7f4653a2506b48b97689f402cb2a7ea

SHA512
1bdeef4765bb086576a1e0e4d4ba97ed3d305d5172dfa37e2c3c32503dcb8c7d1cc696acdd54f2da3346ea82c79fd1c332752e9e43a0c599f41180f4630357bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a5d6808ad1c9926ce064764a2a5ef87e

SHA1
99b3e3b22533f650e28cd4864f560679f9dedafd

SHA256
17c540184ca8b29d2b8704d9b2430041491e426eeeb52f06cb1e52556dba54e8

SHA512
9ae1d75681ac268f2fa4ae6a22e6583e322172e936c8b56904692a5e083a6bf9beada380bdfbc35e06fbc2e5bd55144c516f9334e10b5dabfe117777585001a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ab94484ba9a98dd8f02661568160db81

SHA1
a1a77e17e56af0cc3242b916598221b8141789d9

SHA256
2b4613b1c86d2cb9e6d5871f97f3efd000b3c45240decf4618e5178328aace63

SHA512
d633a6842a4a5c5d411ae613b0464370ffee098dfab51006eea22880a295921c8ea52d9d7119155e674ead21caf753a316a6c8934a44fbf1eeda21f7174d165d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1fcda776110bd49cf386773677b54eeb

SHA1
d559fff44f967d37b43d4f2b5f130365a8f01924

SHA256
300b52d5b47744cec9956828f1608a28fd5554f7f0a7a97c659c792492a7c192

SHA512
26034d8bf3aa07dfaae79017b330a7a51d461222b9adb195cd71c347db38ff3f1f148d763e90322cb3d18b37af42507de19e69562d31057d964aa0dba88cd52a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
40a9952c113b3d5c7772b347a876ab04

SHA1
842397d27b3c713d25fba631a6c3732afb8f73f3

SHA256
503f7102d1c4dde19f704f37f5af4749246f47356f4b9a95ddf9d7e403210c2a

SHA512
000577e39de25b45aaa11e8bb5a47662d67a14a5c9575bef9356823ac9e98cae0cf0bd9af392ab1834ed1160c4cb499d7b99bb174c1736a6249f38b15f6341f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c4aa705b66260e7a50e6db3a9cd5f5d4

SHA1
dbc1f626a3a937f1fbb0ea3569cc784404b063d1

SHA256
18809f6dbc2d58c2f63d585858d49cce2ee2eaab24e775e3bfaf46e3ee27ec62

SHA512
f958b4fc15bce8c5af75880085f1500284de6f0d24327741fb8838e085506497dfa8b35b08aad424bfad8d7f211f3619a7372aa7847ab63193f6e4ff4ff00de1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c3cea7007bdeaa5066ed34c46315a7e3

SHA1
e33d065d469c1bd8a481c61c5896152f72b5f530

SHA256
c5cda45ba9034fa4ba19ce774059ba777914354c02146a859a678224de445693

SHA512
28f3a195ac52092b43143150da09f2fd2fe735c42a18a948cc298d224960edead774aedb5b85428c596db2d1fa261a640e4d0ad2bce9cc89b4343ba555a49fb8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f8991f9d5e0fc0c8d454d7a5532ae348

SHA1
207e2dee43e7b91c419bbfdfcbada67e860a0b10

SHA256
09e034925c794ede872cef484ecff46821fad4261e0c7a22b380a9a0da79a652

SHA512
219888d8ee661d9568921d912387fde9621b0446ab71102189987b0c1059219942ee7b6777c81bdbce5aa582289a88c23c919339b366fdc3c59066dbdc1ec32e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
df0512e40fe9fd5752a7ea1d9c3926d6

SHA1
a31f8c72b58a6a0643348dca0d92d30f06a1cdad

SHA256
6483dc788a3b427a5ba7c50fdb0746e74c10aa59152aa0b0b5ec0a5dc67ae5a5

SHA512
d2ecbd1942b6ba6050b1a40e38965ce5432e705944853941cd63b90ef47f340f9a516199e08c1bbeea4eb4fb241c8066b41ab3a25b4bd6fd0d8627f05e12a6f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
51d526dab02d5c6a6639c8d58324a110

SHA1
d5947b3785568df304c610b4091c68effca54135

SHA256
c803eda841d28cc84f498a56a2d27d9911d2365d10d6de27d0db27e32d8389c6

SHA512
c153ac7e759c5465bb9390d2aab8566e18e39eb6a5777fbf5018cd29c9028998e64be9a21b09fa91a3deaae47a4a16bcc0a40089ff71f471b2a3e179821ee65f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
0fcc037f66d11c6da441868a87170f88

SHA1
06014b00ba9e6f73cb2e3d031c702d87a576cd5e

SHA256
231a718c92fda687a65994a78111716da10969626953fbd9a1b4fa5b1fe4e665

SHA512
b83d6a741012752d8db5e2a207b303020618d78dfdc15ab44121bab73b892cc6a12bbcd51af0587e53478da76fc1e912ad99ef1b1ba96c42aac5dfbd29201c1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0WBLVJY\favicon[1].png

Filesize
2KB

MD5
18c023bc439b446f91bf942270882422

SHA1
768d59e3085976dba252232a65a4af562675f782

SHA256
e0e71acef1efbfab69a1a60cd8fadded948d0e47a0a27c59a0be7033f6a84482

SHA512
a95ad7b48596bc0af23d05d1e58681e5d65e707247f96c5bc088880f4525312a1834a89615a0e33aea6b066793088a193ec29b5c96ea216f531c443487ae0735

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC581.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Infos.exe

Filesize
804KB

MD5
92acb4017f38a7ee6c5d2f6ef0d32af2

SHA1
1b932faf564f18ccc63e5dabff5c705ac30a61b8

SHA256
2459694049abfe227ddcf5b4d813fe3ae8e1e9066de5228acf20c958d425c2e1

SHA512
d385b2857d934628e1df3ef493b3a33e2a042c5974d9c153c126a86a28fc61bcc02db0a0791c225378994737a16cd35b74f217600d4b837cda779200c9faeb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Installation.exe

Filesize
1.4MB

MD5
6db938b22272369c0c2f1589fae2218f

SHA1
8279d75d704aaf9346e8f86df5aa1f2e8a734bb9

SHA256
a3f4061d3d60ae5a3ee4a168f1bec3790e1927f77184915a821d1eade478677e

SHA512
a83cae75c7d9f98e4841f1517ec6ea867731f3f3c52a2f12c372be01c7da0a53d458eadfc61309a906ed63c48ca80194ddf52a084044a20e8a2bd3679e492c31

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\fdsa.url

Filesize
117B

MD5
cffa946e626b11e6b7c4f6c8b04b0a79

SHA1
9117265f029e013181adaa80e9df3e282f1f11ae

SHA256
63a7a47e615966f06914b658f82bf2a3eac30a686ac2225805a0eedf0bba8166

SHA512
c52fbef9fbfd6a921c3cc183ee71907bbacf6d10ef822299f76af1de755427d49068829167d6cbf5175930d113bc60712fe32b548dae40aa4594d4fb3baee9b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Samk.url

Filesize
117B

MD5
3e02b06ed8f0cc9b6ac6a40aa3ebc728

SHA1
fb038ee5203be9736cbf55c78e4c0888185012ad

SHA256
c0cbd06f9659d71c08912f27e0499f32ed929785d5c5dc1fc46d07199f5a24ea

SHA512
44cbbaee576f978deaa5d8bd9e54560e4aa972dfdd6b68389e783e838e36f0903565b0e978cf8f4f20c8b231d3879d3552ebb7a8c4e89e36692291c7c3ffcf00

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC593.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

Filesize
184KB

MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

Filesize
61KB

MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pzyh.exe

Filesize
973KB

MD5
ecec67e025fcd37f5d6069b5ff5105ed

SHA1
9a5a0bed2212f47071ad27b28fe407746ecfad18

SHA256
51ac8ea2c6cab10489188133a109aa4507b76ea459996173d0679d542780387c

SHA512
a9d59f137e8688bcee3f1fdc327b41b7f8d836c8e4753e1e9887e03a7c97ecfb851e9d88460f1003970fbaf8638eaa7dd94eb5875a30f51b2c2e7a20a1b51e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwwC787.tmp

Filesize
173B

MD5
7f2fcf922e34d3c10d2b7649417373d1

SHA1
75690cefcd8c9006b48eb07fac96e121f6c1c30f

SHA256
99cf67626b0c4ab00878c19dd929980a0d2c641cf325a68d130608c81cd284fb

SHA512
3b1d2c5cc2fa9ee14e563530b852295d3f75a6d2753ef3cfcc54aa0295857dd9d8ab49e688f332742590c948ade44a85df8695ac88890126e08fe202e2f921bb

Download Submit
\Users\Admin\AppData\Local\Temp\CC4F.tmp

Filesize
1.2MB

MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\Files.exe

Filesize
685KB

MD5
41e45fcd46345be31c78446db673351a

SHA1
50d631a594e322cb9be5dc07e69a198655623a91

SHA256
3598c28a918534d00e845022a88f6b55adbb510f5d2afd2c550cf59b7b2ebff6

SHA512
a8e43d4f4c7e18e7cafffb44aee5f785114ec6393d9065cbd053e9b4f9fe81b1ef8318f41a040226eacbd318ae2357e432948d74230574adceaef335574908ac

Download Submit
\Users\Admin\AppData\Local\Temp\Folder.exe

Filesize
1.0MB

MD5
78a5ec9002819fe21993f03ef1114c08

SHA1
e5ea11ef9389ba9ec8c75de4f22181c4021a9c2d

SHA256
7cda4a775303e915ab929b276e153c229d264f9fa0fc37d2606c9bbeab8e867b

SHA512
3d9cda542244a416ba65cdac38fe4048a11071113676df90afe732f8896a5fa06fe441aad1fc257ea17f54085a76254f65bcabbd715ebf485eca5abd32960f3a

Download Submit
\Users\Admin\AppData\Local\Temp\Install.exe

Filesize
244KB

MD5
787638a838751a58ad66e3627c396339

SHA1
5ab421061a837c31ece4d8623abee5db53d570d6

SHA256
32a86c9d00dcf437686b2dc62740dfd6f033f75afb1f5cbc2345649d51cf15b6

SHA512
723c6a124faa7dd949bb5b78db2d279d7984827ff4b68b4e6e0b31afbe11d0e47c009e5a007134219022f14b818586a99de04763a8b41f00ce91c24214d2373c

Download Submit
\Users\Admin\AppData\Local\Temp\KRSetp.exe

Filesize
152KB

MD5
a69478ad881932811b12fee82f666e74

SHA1
98ca7353ec7b3cb197c4f664601c464a6664a0b7

SHA256
c245699c1e9a1636c466768da92315ea910f2b62bcc53206f2696685544e5b23

SHA512
3bc440615dc369fb0d911c1f03f5b4f043085313e653212adc374a4bbb3796564dba9f49e379f510754d9eafe9e0ff25aa2f5bddc8870624e63dee28e662d045

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe

Filesize
846KB

MD5
954264f2ba5b24bbeecb293be714832c

SHA1
fde3ad6e6d8ab951b002c7ca17e867bf3c1d9ba0

SHA256
db5906a6a58c5f7e8991fb5c3a7201843142844650eb5b89bdf89094aba9e96c

SHA512
8fb15e5888d713e10df04b64c0a24250547a978eac9a7b25d653c343f01afc204fa661937a76644a2dcd3f5b65225450d3aaecb67014125a50722df21467ee53

Download Submit
\Users\Admin\AppData\Local\Temp\jg3_3uag.exe

Filesize
757KB

MD5
d724170a0c6b106beffded4cad9178d6

SHA1
fc3786717156c791429cd3637557fe118db278c5

SHA256
f5b762cf3572fe83325ebf51fd50c04cfdfd120e267d8c2fa1b618d47e6529eb

SHA512
fd88e581854c7be4f4ba3a62c5b4365df06f8ddf04fb68b4bd24bf8d373b4f9282e09002dc66ab64664cabe4cf7069e7283d9ee6da803db2c0f7b16faf2b1191

Download Submit
\Users\Admin\AppData\Local\Temp\pub2.exe

Filesize
179KB

MD5
3be6705f09f95c0a4294f9cc71adc5af

SHA1
b5ed129b0efd77f48ab4e795720c2c236a4f5ab1

SHA256
9f8357e4c8043a6b3f925cb786182675bc86b556bb0a41e7bcef27631587609f

SHA512
86a03557b2bd3b0e84173103fbd3026f822feba33cbbf720d17638cdc42ba939464eff2cd4c1a84935580b7bc935a09cf780ecafe69e9760d76236fa6e5ff355

Download Submit
memory/780-266-0x0000000000400000-0x0000000002BF0000-memory.dmp

Filesize
39.9MB

Download
memory/832-190-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1636-110-0x00000000003B0000-0x00000000003B6000-memory.dmp

Filesize
24KB

Download
memory/1636-108-0x00000000001C0000-0x00000000001C6000-memory.dmp

Filesize
24KB

Download
memory/1636-88-0x0000000000920000-0x0000000000950000-memory.dmp

Filesize
192KB

Download
memory/1636-109-0x00000000004D0000-0x00000000004F4000-memory.dmp

Filesize
144KB

Download
memory/1976-316-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1976-309-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2180-105-0x0000000003410000-0x0000000003412000-memory.dmp

Filesize
8KB

Download
memory/2180-85-0x0000000003BC0000-0x0000000003DFD000-memory.dmp

Filesize
2.2MB

Download
memory/2180-71-0x0000000003BC0000-0x0000000003DFD000-memory.dmp

Filesize
2.2MB

Download
memory/2668-307-0x0000000000400000-0x000000000063D000-memory.dmp

Filesize
2.2MB

Download
memory/2668-87-0x0000000000400000-0x000000000063D000-memory.dmp

Filesize
2.2MB

Download
memory/2668-83-0x0000000000400000-0x000000000063D000-memory.dmp

Filesize
2.2MB

Download
memory/2812-530-0x00000000035A0000-0x00000000035A2000-memory.dmp

Filesize
8KB

Download
memory/2908-320-0x0000000000400000-0x00000000009B8000-memory.dmp

Filesize
5.7MB

Download
memory/3028-795-0x0000000000340000-0x0000000000362000-memory.dmp

Filesize
136KB

Download
memory/3028-794-0x0000000000340000-0x0000000000362000-memory.dmp

Filesize
136KB

Download
memory/3028-308-0x0000000000340000-0x0000000000362000-memory.dmp

Filesize
136KB

Download
memory/3028-310-0x0000000000340000-0x0000000000362000-memory.dmp

Filesize
136KB

Download
memory/3028-191-0x0000000000340000-0x000000000039B000-memory.dmp

Filesize
364KB

Download